Ruby : Using "send" version, designed for testing

Overview

Using send may result in unintended access to private (protected) fields of the class.

Notes:

  • besides testing private fields, send (__send__) is commonly used for dynamically generated class fields and methods;
  • even if your application forces the user to choose from fixed alternatives in the UI, that does not protect you from the request being edited;
  • you can redefine send as your own function and still access the built-in method through __send__.
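
The flagged pattern next to a corrected dispatcher, as an added example that is not DerScanner's own code. ReportExporter, Dispatch, the method names and every value are constructed for illustration.

```ruby
class ReportExporter
  def initialize(rows)
    @rows = rows
  end

  def csv
    @rows.map { |row| row.join(",") }.join("\n")
  end

  def tsv
    @rows.map { |row| row.join("\t") }.join("\n")
  end

  private

  # Not meant to be reachable from a request (constructed value).
  def storage_credentials
    "constructed-secret-value"
  end
end

module Dispatch
  ALLOWED = %w[csv tsv].freeze # the fixed alternatives the UI offers

  # Flagged pattern: send ignores visibility, so a request-supplied name
  # reaches private methods as well as public ones.
  def self.unsafe(exporter, name)
    exporter.send(name)
  end

  # Corrected: compare the name against an allowlist first, then call
  # public_send, which raises NoMethodError for private/protected methods.
  def self.safe(exporter, name)
    raise ArgumentError, "unsupported format: #{name.inspect}" unless ALLOWED.include?(name)
    exporter.public_send(name)
  end
end

exporter = ReportExporter.new([%w[id name], %w[1 alice]])
edited_param = "storage_credentials" # a value the UI never offers

puts Dispatch.unsafe(exporter, "csv")
puts Dispatch.unsafe(exporter, edited_param) # the private method runs
begin
  Dispatch.safe(exporter, edited_param)
rescue ArgumentError => e
  puts "rejected: #{e.message}"
end
```

The allowlist is the primary control; public_send alone still lets a caller reach every public method of the object, including inherited ones.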

DerScanner Severity Score: LOW
